5
CVSSv2

CVE-2018-1327

Published: 27/03/2018 Updated: 08/03/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.

Affected Products

Vendor Product Versions
ApacheStruts2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.8, 2.1.8.1, 2.2.1, 2.2.1.1, 2.2.3, 2.2.3.1, 2.3.1, 2.3.1.1, 2.3.1.2, 2.3.3, 2.3.4, 2.3.4.1, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.13, 2.3.14, 2.3.14.1, 2.3.14.2, 2.3.14.3, 2.3.15, 2.3.15.1, 2.3.15.2, 2.3.15.3, 2.3.16, 2.3.16.1, 2.3.16.2, 2.3.16.3, 2.3.17, 2.3.19, 2.3.20, 2.3.20.1, 2.3.20.2, 2.3.20.3, 2.3.21, 2.3.22, 2.3.23, 2.3.24, 2.3.24.2, 2.3.24.3, 2.3.25, 2.3.26, 2.3.27, 2.3.28, 2.3.28.1, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.5, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.13, 2.5.14, 2.5.14.1

Vendor Advisories

The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload Upgrade to the Apache Struts version 2516 and switch to an optional Jackson XML handler as described here strutsapacheorg/plugins/rest/#custom-contenttypehandlers An ...
Oracle Critical Patch Update Advisory - July 2018 Description A Critical Patch Update is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous C ...

Github Repositories

S2-056-DoS 漏洞描述 S2-056漏洞发生于Apache Struts2的REST插件,当使用XStream组件对XML格式的数据包进行反序列化操作,且未对数据内容进行有效验证时,攻击者可通过提交恶意XML数据对应用进行远程DoS攻击。 漏洞编号 CVE-2018-1327 影响版本 Struts 211 - Struts 25141 演示 复现需注意,S2-056消耗的是

cvesearch Just gimme the list & I'll do the work for you None of us are happy about this though Improved speed by up to 100x [root@josh9580-cvesearch ~]# time cve-savepy >/dev/null real 0m0164s user 0m0129s sys 0m0035s [root@josh9580-cvesearch ~]# time cve-checkpy CVE-2017-0861 >/dev/null real 0m3098s user 0m2049s sys 0m0051s [root@josh958

Etrata CI Vuln Scanner What is it? This is a lightweight python script that will load/read a directory of CVEs and allow you to search on them Usage etrata -n struts -v 2332 >'CVE-2017-9787', >'CVE-2017-9791', >'CVE-2017-9793', >'CVE-2017-9804', >'CVE-2017-9805', >'CVE-2018